
I am using Windows 7 firewall with outbound filtering enabled. Windows Firewall does not provide a UI for new outbound connection prompts, it just blocks them. Windows Firewall Control solves this using a workaround - it enables audit logging of packet/connection drop failures, monitors the Security log for new entries, and brings up prompts as needed.

I have spent time crafting a list of outbound Allow rules for all system services and applications that need to make outbound connections. Windows Firewall is able to target specific services within svchost.exe, allowing pretty fine-grained control. I have come across only two things where this doesn't work - Network Discovery, and Cryptographic Services.

I have the following rule enabled:

netsh advfirewall firewall add rule name="Windows Cryptographic Services"
  program="%SystemRoot%\System32\svchost.exe" service=CryptSvc 
  protocol=tcp remoteport=80,443 dir=out action=allow

However, I still keep getting blocks originating from the svchost.exe hosting CryptSvc, trying to make outbound http connections to verify certificates and such. I even used sc config CryptSvc type=own to isolate the service into its own container, to confirm that it's indeed CryptSvc making these requests. And even then, the rule would still not match. There are many other rules with the same structure, just different target service, where everything works just fine.

So far I could not find a satisfactory workaround. Allowing 'everything' for CryptSvc still won't make it match. The scope needs to be at least 'all services' for it to match, and this is too broad. I can add an ignore rule for svchost.exe in WFC, but that, again, is too broad for my liking. I'd prefer a systematic solution.

EDIT: Trying to edit my firewall rule pops up a warning box:

Windows services have been restricted with rules that allow expected behavior only. Rules that specify host processes, such as svchost.exe, might not work as expected because they can conflict with Windows service-hardening rules.

Are you sure that you want to create a rule referencing this process?

Could be that this 'hardening' is interfering with the firewall's mechanism for identifying the originating service.

1 Answer

Long ago, but still a valid question. Since the problem persists, here is my solution:

  1. Open a CMD window and get the SID of the cryptsvc service: sc showsid cryptsvc
  2. Create an advanced outbound firewall rule for some (arbitrary) program.
  3. Edit the properties of this rule: under Programs and Services, set Programs to All; under Application Packages, use the last option (apply to the following application SID) and paste your SID from the CMD window in here.
  4. Under Ports and Protocols, allow TCP 80, 443 instead of Allow TCP ALL.
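The same four steps can be scripted instead of clicked through. The script below is an added example, not code from the answer above or from Windows Firewall Control: it reads the service SID with sc showsid, then creates the outbound rule with the NetSecurity cmdlets, putting the service SID in the rule's package field exactly as step 3 does and restricting the rule to TCP 80 and 443 as step 4 does. It assumes the NetSecurity module (Windows 8 / Server 2012 and later; Windows 7 has no such module, so there the GUI steps apply), an elevated prompt, and that New-NetFirewallRule's -Package parameter accepts the service SID the way the GUI's Application Packages field does. The rule name and the event check at the end are my own choices.

```powershell
# Added example: script the answer's steps (not the answer's own code).
# Requires an elevated PowerShell prompt and the NetSecurity module.

$serviceName = 'cryptsvc'
$ruleName    = 'Windows Cryptographic Services (service SID)'   # assumed name

# Step 1: read the service SID. 'sc showsid' prints a "SERVICE SID: S-1-5-80-..."
# line; the exact value is whatever this machine reports, so parse it rather
# than hard-code it.
$scOutput = & sc.exe showsid $serviceName
if ($LASTEXITCODE -ne 0) { throw "sc showsid failed for $serviceName" }
$match = $scOutput | Select-String -Pattern 'S-1-5-80-[\d-]+' | Select-Object -First 1
if (-not $match) { throw "No service SID found in sc output for $serviceName" }
$serviceSid = $match.Matches[0].Value
Write-Host "Service SID for $serviceName is $serviceSid"

# Steps 2-4 in one call: Program = Any, the service SID in the package field,
# outbound allow for TCP 80 and 443 only (tighter than "Allow TCP ALL").
# Replace an existing rule of the same name so the script is re-runnable.
if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $ruleName
}
New-NetFirewallRule -DisplayName $ruleName `
    -Direction Outbound -Action Allow -Profile Any `
    -Program Any -Package $serviceSid `
    -Protocol TCP -RemotePort 80,443 | Out-Null

# Check what was actually stored on the rule: Program should read Any and
# Package should carry the service SID.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallApplicationFilter |
    Select-Object Program, Package

# Optional check using the same audit events the question relies on:
# with Filtering Platform Connection auditing enabled, event ID 5157 in the
# Security log is "The Windows Filtering Platform has blocked a connection".
# After the rule is in place, new 5157 entries for svchost.exe on ports 80/443
# should stop appearing for this service.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5157 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'svchost\.exe' } |
    Select-Object TimeCreated, Id
```

If the rule still does not match, the application filter output is the first thing to inspect: an empty Package column means the SID did not land where the GUI step 3 puts it, and the rule is then only an ordinary svchost.exe program rule, which is the case the question already shows not working.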